My organization uses Qualys to scan web applications. It picked up my REST endpoints and flagged them with a level 5 high vulnerability and now I have people in the security department telling me I need to fix it.
This is the summary of the problem: https://blog.qualys.com/product-tech/2023/02/09/blind-sql-injection-content-based-time-based-approac...
True condition payload is ' AND 1=1
This condition is true, so available records are returned, which is the same as if the payload was the item by itself.
False condition payload is ' AND 1=2
The condition is false, so no records are returned and the output is nothing or a message such as No Results Found.
Seeing the difference in results, the scanning engine draws the conclusion that there is a blind SQL injection vulnerability.
If I understand this correctly, for it not to get flagged, I'd need the REST API to return the same result set for the true query "1=1" and the false query "1=1 AND 1=2" in the "where=" request parameter.
Firstly, am I reading this right? Secondly, is there any advice on how to either fix this, so it's no longer flagged as a vulnerability or convince the security department that this is not a vulnerability?
I'm using ArcGIS Server 11.4.0 with standardizedQueries: "true" set and querying FeatureServices. (I've also tried turning off standardizedQueries, and it gives the same result.)
The exact queries the scan used are:
- False: '1=11 or 11=12'
- True: '1=11 or 11=11'
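One way to stop the scanner's true/false probes from ever reaching the feature service is to front the query endpoint with an allow-list validator for the where= parameter. The following is an added example (not code from the original post, from Esri, or from Qualys) that accepts only field-versus-literal comparisons joined by AND/OR and rejects literal-versus-literal conditions such as 1=11 or 11=11; the field names passed to it are a constructed per-layer allow-list.

```python
import re
# Added example, not code from the original post or from Esri: an allow-list
# validator for the ArcGIS "where" query parameter. It accepts only
# <field> <op> <literal> comparisons joined by AND/OR (parentheses allowed),
# so literal-vs-literal probes such as 1=11 or 11=11 are rejected outright.
TOKEN_RE = re.compile(r"""\s*(?:
    (?P<num>\d+(?:\.\d+)?)
  | (?P<str>'(?:[^']|'')*')
  | (?P<op>>=|<=|<>|!=|=|>|<)
  | (?P<paren>[()])
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*))""", re.VERBOSE)

def tokenize(clause):
    # Returns (kind, text) tokens, or None if anything is unrecognised
    pos, tokens = 0, []
    while pos < len(clause):
        m = TOKEN_RE.match(clause, pos)
        if not m:  # stray quote, semicolon, comment marker, ...
            return tokens if clause[pos:].strip() == "" else None
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def is_allowed_where(clause, allowed_fields):
    # allowed_fields is a constructed per-layer allow-list of field names
    tokens = tokenize(clause) or []
    fields = {f.upper() for f in allowed_fields}
    depth, expect_term, i = 0, True, 0
    while i < len(tokens):
        kind, text = tokens[i]
        if expect_term:
            if (kind, text) == ("paren", "("):
                depth, i = depth + 1, i + 1
                continue
            if i + 2 >= len(tokens):
                return False
            (k1, t1), (k2, _), (k3, _) = tokens[i:i + 3]
            # a number or string on the left-hand side (1=1) is not a field
            if (k1 != "word" or t1.upper() not in fields
                    or k2 != "op" or k3 not in ("num", "str")):
                return False
            i, expect_term = i + 3, False
        elif (kind, text) == ("paren", ")") and depth > 0:
            depth, i = depth - 1, i + 1
        elif kind == "word" and text.upper() in ("AND", "OR"):
            i, expect_term = i + 1, True
        else:
            return False
    return depth == 0 and not expect_term
```

Because both of the scan's probes fail validation, the endpoint returns the same rejection for the "true" and "false" payloads, which removes the response difference the blind-injection check is built on.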